Delegations will find attached the declassified version of the above document.

Transcription

1 Council of the European Union Brussels, 8 February 2017 (OR. en) 13203/1/16 REV 1 DCL 1 GENVAL 103 CYBER 112 DECLASSIFICATION of document: dated: 31 January 2017 new status: Subject: 13203/1/16 REV 1 RESTREINT UE/EU RESTRICTED Public Evaluation report on the 7th round of mutual evaluations "The practical implementation and operation of European policies on prevention and combating cybercrime" - Report on the Czech Republic Delegations will find attached the declassified version of the above document. The text of this document is identical to the previous version /1/16 REV 1 DCL 1 dm DG F 2C EN

2 Council of the European Union Brussels, 31 January 2017 (OR. en) 13203/1/16 REV 1 RESTREINT UE/EU RESTRICTED GENVAL 103 CYBER 112 REPORT Subject: Evaluation report on the 7th round of mutual evaluations "The practical implementation and operation of European policies on prevention and combating cybercrime" - Report on the Czech Republic 13203/1/16 REV 1 CN/ec 1 DGD2B RESTREINT UE/EU RESTRICTED EN

3 ANNEX Table of Contents 1. EXECUTIVE SUMMARY INTRODUCTION GENERAL MATTERS AND STRUCTURES National cyber-security strategy National priorities with regard to cybercrime Statistics on cybercrime Main trends leading to cybercrime Number of registered cases of cybercrime Domestic budget allocated to prevent and fight against cybercrime and support from EU funding Conclusions NATIONAL STRUCTURES Judiciary (prosecutions and courts) Internal structure Capacity for and obstacles to successful prosecution Law-enforcement authorities Other authorities/institutions/public-private partnership Cooperation and coordination at national level Legal or policy obligations Resources allocated to improve cooperation Conclusions LEGAL ASPECTS Substantive criminal law pertaining to cybercrime Council of Europe Convention on Cybercrime Description of national legislation A/ Council Framework Decision 2005/222/JHA on attacks against information systems and Directive 2013/40/EU on attacks against information systems B/ Directive 2011/93/EU on combating sexual abuse and sexual exploitation of children and child pornography C/ Online Card fraud D/ Other cybercrime phenomena Procedural issues Investigative Techniques Forensics and Encryption E-Evidence Protection of Human Rights/Fundamental Freedoms Jurisdiction Principles applied to the investigation of cybercrime Rules in case of conflicts of jurisdiction and referral to Eurojust Jurisdiction for acts of cybercrime committed in the 'cloud' Perception of Czech Republic with regard to legal framework to combat cybercrime Conclusions /1/16 REV 1 CN/ec 2

4 6. OPERATIONAL ASPECTS Cyber-attacks Nature of cyber-attacks Mechanism to respond to cyber-attacks Actions against child pornography and sexual abuse online Software databases identifying victims and measures to avoid re-victimisation Measures to address sexual exploitation/abuse online, sexting, cyber bulling Preventive actions against sex tourism, child pornographic performance and others Actors and measures countering websites containing or disseminating child pornography Online card fraud Online reporting Role of the private sector Other cybercrime phenomena Conclusions INTERNATIONAL COOPERATION Cooperation with EU agencies Formal requirements to cooperate with Europol/EC3, Eurojust, ENISA Assessment of the cooperation with Europol/EC3, Eurojust, ENISA Operational performance of JITs and cyber patrols Cooperation between the Czech authorities and Interpol Cooperation with third states Cooperation with the private sector Tools of international cooperation Mutual Legal Assistance Mutual recognition instruments Surrender/Extradition Conclusions TRAINING, AWARENESS-RAISING AND PREVENTION Specific training Awareness-raising Prevention National legislation/policy and other measures Public Private Partnership (PPP) Conclusions FINAL REMARKS AND RECOMMENDATIONS Suggestions from the Czech Republic Recommendations Recommendations to Czech Republic Recommendations to the European Union, its institutions, and to other Member States Recommendations to Eurojust/Europol/ENISA Good practices in the Czech Republic Annex A: Programme for the on-site visit and persons interviewed/met Annex B: Persons interviewed/met Annex C: List of abbreviations/glossary of terms /1/16 REV 1 CN/ec 3

5 1. EXECUTIVE SUMMARY The mission to the Czech Republic was very well organised in an efficient and cordial way by the national authorities. The evaluation team was able to meet representatives of the various authorities involved in the field of preventing and fighting cybercrime, including the Ministry of the Interior, the Ministry of Justice, the Unit for Combating Organised Crime of the Criminal Police and Investigation Service, Analytics and Cybercrime Department of the Regional Directorate of the Police of the Southern Moravian Region, Institute of Criminalistics Prague, Supreme Public Prosecutor's Office, National Security Authority/National Cyber Security Centre and representatives of academia and non-governmental organisations. During the visit, the representatives of the Ministry of the Interior in charge of the evaluation visit did everything to provide the evaluation team with clarifications on the legal and operational aspects of detecting, preventing and combating cybercrime, international judicial cooperation in criminal matters and cooperation with EU agencies, cyber security strategy, training, etc. The meetings helped the evaluation team gain a better understanding of the responses provided in the questionnaire and of the national system in the Czech Republic. The evaluation team on its mission to the Czech Republic also recognised the essential effort made by the many speakers who gave presentations highlighting organisational matters, human resources issues, workflow in investigations, the main trends in the field of cybercrime, prevention and awareness raising, training, international police and judicial cooperation especially in relation to Europol, Interpol and Eurojust legislation (including recent changes), the criminal justice system, cooperation among national institutions, academia, industry and non-governmental organisations, national strategies to combat organised and serious crime, and strategies on national security and national cyber security /1/16 REV 1 CN/ec 4

6 A judge was present for the first day of the visit, when the team met representatives from the police. The team appreciates the effort of CZ authorities to include judges in the evaluation visit, although their presence would have produced more added value had it been announced before the visit or had it been arranged separately ad hoc. The various authorities, bodies and organisations have different competences and responsibilities but the 'fight against cybercrime' is seen to be a common goal. In February 2015, the Czech Republic adopted the second National Cyber Security Strategy for ; this was followed by the Action Plan, adopted in May The Strategy includes some fundamental principles, such as protection of fundamental human rights, a comprehensive approach to cyber security based on principles of subsidiarity and cooperation, trust-building and cooperation between the public and private sectors and civil society, and cyber-security capacitybuilding. The Strategy also identifies the challenges and main goals in the field of national cyber security. The national legislation complies with the Council of Europe Convention on Cybercrime and with Directive 2013/40/EU on attacks against information systems. Directive 2011/93/EU of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography has also been transposed into national law. A more coordinated approach on statistics at national level would be beneficial in terms of giving an accurate picture of the types of cybercrime, as reflected in the different stages of investigation, prosecution and trial, especially for offences relating to the sexual exploitation of children /1/16 REV 1 CN/ec 5

7 Regarding the national structure of LEAs, there are 14 police units with nation-wide competences. From 1 April 2016 a reorganisation of the police will be in place as regards cybercrime competence, allowing the Unit for Combating Organised Crime to investigate the most serious cybercrime offences as a specialised body at central level. The Organised Crime Unit will include the Cybercrime Department and the Department of Cybercrime Investigation and Analysis. Competence for cybercrime offences will then be shared between the Unit for Combating Organised Crime and Investigation Service and the territorial units. As to prosecution, a network of prosecutors specialising in cybercrime was recently established formally at national level; it includes 17 prosecutors. During the meeting with representatives of the General Prosecutor's Office, a case of trafficking of human beings and child sexual exploitation, which involved the creation of a Joint Investigation Team (SE, ES and CZ), was presented to the evaluation team. The National Cyber Security Centre was established recently. Its primary task is identification of critical information infrastructure. In addition, it performs security audits, exercises, international cooperation and policy work. It also offers legal and policy support for the governmental CERT's (GovCERT.CZ) activity and technical cooperation with LEAs in the field of cybercrime (it can provide technical help in criminal investigations). The National Cyber Security Centre has an important role in education and awareness-raising concerning cyber-attacks and cybercrime. Its basic services may be summarised as follows: reactive, proactive and analytical. Its main roles are handling incidents, testing development and security, and analysis of networks. The Czech Cyber Security Incident Response Team (CSIRT.CZ) fulfils the role of a national CERT and coordinates responses to security threats in computer networks and organises cooperation with internet service providers. It offers help to other private companies in establishing their own CSIRTs. The Czech CSIRT runs the PROKI project, designed to predict and protect against cyberincidents /1/16 REV 1 CN/ec 6

8 Regarding the field of cyber security it should be mentioned that at national level there are already 24 CSIRT teams and one more candidate team. Actions aimed at prevention and public awareness of cybercrime are carried out by a number of authorities within the Czech Republic. These include the National Cyber Security Centre, the lawenforcement authorities and the private sector, academia and non-governmental organisations. These sectors play active roles in prevention and awareness campaigns throughout the country. An important and innovative role is played by the Institute of Computer Science at Masaryk University Brno, which has developed a special tool, KYPO (Cyber Exercise and Research Platform). During the visit the evaluation team witnessed a very impressive simulation on this tool. The Centre offers training for judicial and police academies, investigators and public prosecutors. It organises summer schools and PhD and master's degrees in cyber-security. Funding is provided by the governmental security research instrument under the Ministry of Interior. The National Security Authority, as cyber security national authority, is part of the project steering committee /1/16 REV 1 CN/ec 7

9 2. INTRODUCTION Following the adoption of Joint Action 97/827/JHA of 5 December , a mechanism was established for evaluating the application and implementation at national level of international undertakings in the fight against organised crime. In line with Article 2 of the Joint Action, the Working Party on General Matters including Evaluations (GENVAL) decided on 3 October 2013 that the seventh round of mutual evaluations should be devoted to the practical implementation and operation of European policies on prevention and combating cybercrime. The choice of cybercrime as the subject for the seventh Mutual Evaluation round was welcomed by Member States. However, due to the broad range of offences covered by the term cybercrime, it was agreed that the evaluation would focus on those offences which Member States felt warranted particular attention. The evaluation therefore covers three specific areas: cyber-attacks, child sexual abuse/pornography online and online card fraud; it should provide a comprehensive examination of the legal and operational aspects of tackling cybercrime, cross-border cooperation and cooperation with relevant EU agencies. Directive 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography 2 (transposition date 18 December 2013) and Directive 2013/40/EU 3 on attacks against information systems (transposition date 4 September 2015) are particularly relevant in this context Joint Action of 5 December 1997 (97/827/JHA), OJ L 344, pp OJ L 335, , p. 1. OJ L 218, , p /1/16 REV 1 CN/ec 8

10 Moreover, the Council conclusions on the EU Cybersecurity Strategy of June reiterate the objective of ratification of the Council of Europe Convention on Cybercrime (the Budapest Convention) 5 of 23 November 2001 as soon as possible and emphasise in their preamble that 'the EU does not call for the creation of new international legal instruments for cyber issues'. This Convention is supplemented by a Protocol on xenophobia and racism committed through computer systems. 6 Experience from past evaluations shows that Member States will be in different positions regarding implementation of relevant legal instruments, and the current process of evaluation could also provide useful input to Member States which may not have implemented all aspects of the various instruments. Nonetheless, the evaluation aims to be broad and interdisciplinary and not focus on the implementation of various instruments relating to fighting cybercrime alone, but rather on operational aspects in the Member States. Therefore, apart from cooperation with prosecution services, this will also encompass how police authorities cooperate with Eurojust, ENISA and Europol/EC3 and how feedback from the actors concerned is channelled to the appropriate police and social services. The evaluation focuses on implementing national policies with regard to suppression of cyber-attacks and fraud as well as child pornography. The evaluation also covers operational practices in the Member States with regard to international cooperation and the support offered to victims of cybercrime /13 POLGEN 138 JAI 612 TELECOM 194 PROCIV 88 CSC 69 CIS 14 RELEX 633 JAIEX 55 RECH 338 COMPET 554 IND 204 COTER 85 ENFOPOL 232 DROIPEN 87 CYBER 15 COPS 276 POLMIL 39 COSI 93 DATAPROTECT 94. CETS No 185; opened for signature on 23 November 2001, entered into force on 1 July CETS No 189; opened for signature on 28 January2003, entered into force on 1 March /1/16 REV 1 CN/ec 9

11 The order of visits to the Member States was adopted by GENVAL on 1 April The Czech Republic was the (eighteenth) Member State to be evaluated during this round of evaluations. In accordance with Article 3 of the Joint Action, a list of experts in the evaluations to be carried out has been drawn up by the Presidency. Member States have nominated experts with substantial practical knowledge in the field pursuant to a written request on 28 January 2014 to delegations made by the Chairman of GENVAL. The evaluation teams consist of three national experts, supported by two staff from the General Secretariat of the Council and observers. For the seventh round of mutual evaluations, GENVAL agreed with the proposal from the Presidency that the European Commission, Eurojust, ENISA and Europol/EC3 should be invited as observers. The experts charged with undertaking the evaluation of the Czech Republic were Mr Anton Toni Klančnik (Slovenia), Mr Zsolt Szabolcsi (Hungary) and Ms Nienke Ross (Netherlands). One observer was also present: Ms Anna Danieli (Eurojust), together with Ms Carmen Necula from the General Secretariat of the Council. This report was prepared by the expert team with the assistance of the General Secretariat of the Council, based on findings arising from the evaluation visit that took place in the Czech Republic between 8 and 12 February, and on the Czech Republic's detailed replies to the evaluation questionnaire, together with their detailed answers to follow-up questions /1/16 REV 1 CN/ec 10

12 3. GENERAL MATTERS AND STRUCTURES 3.1. National cyber-security strategy On 16 February 2015, the Government of the Czech Republic adopted the new National Cyber Security Strategy of the Czech Republic for the period 2015 to 2020 (hereinafter 'Cyber Security Strategy'), which was submitted by the National Security Authority (NBÚ), the competent national authority for cyber security issues. The Cyber Security Strategy builds upon and develops its predecessor, the Strategy of the Czech Republic in the Field of Cyber-Security for It was followed by the Action Plan adopted by the Government on 25 th May The Action Plan specifies tasks, competences and the time-frame for meeting the objectives set out in the Cyber Security Strategy, including combating cybercrime. The unavoidable dependence of society on information technology and the associated increase in cybercrime are conceived in the Cyber Security Strategy as being among the main challenges. One of the principles which the Cyber Security Strategy builds upon, therefore, is the need to develop capacity to ensure cyber security, which also involves structures and processes in the area of combating cybercrime. Another of its priorities is to strengthen cooperation between lawenforcement authorities and other relevant bodies. As part of the annual Report on the State of Cyber Security in the Czech Republic, a report on the state of the implementation of the Action Plan is envisaged, as an annex. The report will inform the government and the general public as to the effectiveness of measures adopted and the implementation of tasks defined by the Strategy /1/16 REV 1 CN/ec 11

13 The Cyber Security Strategy and the Action Plan are available in English on websites of the National Security Authority (NBÚ): Promoting the development of the capabilities of the Czech Republic's police to investigate and prosecute cybercrime is the subject of a separate chapter of the Cyber Security Strategy, reflected in the Action Plan by the following tasks: to reinforce the personnel of individual cybercrime police departments; to modernise technological equipment of specialised police departments; to develop cooperation with foreign counterparts; to provide professional education and training to police specialists including language training. The fight against cybercrime is considered in greater detail in the Conception of the Development of Capabilities of the Police of the Czech Republic to Investigate Cybercrime, which was drafted by the Police Presidium of the Czech Republic and adopted by the National Security Council in October This material was created in the context of Government Resolution No 598 of 10 August 2011, and its purpose is to formulate measures to develop suitable long-term conditions for the work of the police force in the detection and prosecution of cybercrime on the territory of the Czech Republic based on the analysis of the current situation. It includes organisational and systemic measures including increasing the personnel of police departments linked to the investigation of cybercrime. The national authorities mentioned as good practice the establishment and development of cybercrime departments staffed by police specialists. What is important is continuous updating of legislation and prevention programmes. Without close cooperation between the government and the private and university sectors, the situation would be difficult /1/16 REV 1 CN/ec 12

14 Another important need is to provide the personal, technical and educational support to experts and professional staff at the Institute of Criminalistics Prague and departments of forensic technique and expertise which, based on the requirements of law-enforcement authorities, provide expert assessments and examinations in the context of cybercrime. More information on the National Cyber Security Strategy was obtained during the evaluation visit from representatives of the National Cyber-Security Centre. They underlined that the strategy contains a definition of cyber security which ensure legal certainty and is very useful in practice in order to identify all cyber-security-related issues. The action plan accompanying the strategy contains a large number of action items (141) and designates 17 responsible entities because in the national authorities view the strategy should not remain merely 'on paper'. Every year the institutions responsible must present an implementation report to the government, which supervises the implementation of the strategy. The NSA plays a coordinating role in the field of cyber security. It operates the National Cyber Security Centre in Brno, which carries out activities on behalf of the governmental CERT and acts as coordinator for immediate response to cyber-incidents. Police liaison officers are also part of this structure. The NSA can also act as 'expert' on cybersecurity issues for the police. It was one of the main drivers of the National Security Strategy and its Action Plan, adopted in May Its responsibilities include the defining of agendas for policy and strategy by means of a dedicated Strategy and Policy Unit, providing legal and strategic support to GovCERT.cz. It also engages in dialogue with the other EU Member States. CSIRT.CZ is active in the region of Prague in the field of prevention and incident handling, especially where repeated or particularly serious. Its role derives from the Act on Cyber Security and a public contract with NSA /1/16 REV 1 CN/ec 13

15 The CERT/CSIRT teams (so far 24 teams have been established, and two more were being set up at the time the visit took place), whether national, governmental, set up by universities, providers, banks, are a significant help in combating cybercrime. The Team observed that teams established in the private sector under the terms of the Cyber Security Act report to CSIRT. Reference was also made to the PROKI Project, launched by the Ministry of the Interior. The project was initiated because of the need to be able to prioritise within the massive amount of information processed on cyber-security issues. From the collection of security incidents, a report should be sent to inform the operators (say once a week), and at the same time this information should be stored in a system for analysis. As of February 2016, it was reported that the system is up and running. The Team also heard about how CZ responded, in 2013, to a week of 'waves' of DDoS cyberattacks against popular news and other media (on Monday), a search engine (on Tuesday), web servers of several banks (Wednesday) and web servers of two mobile operators. The RETN network was the source of the attacks, which luckily were weak and only caused problems in end-user networks. The solution found was to block traffic from abroad: a 'club' of operators as a local peering centre was established in NIX.CZ. Within NIX the project 'FENIX' was initiated, bringing together the biggest local telecommunications companies, hosting companies and service providers. Its members operate trusted networks under strict conditions and can, if necessary, filter out foreign traffic. Those belonging to FENIX contractually prohibit customers from engaging in illegal activities. In the event of a massive attack the targeted operator can shut down connections with attackers and communicate only within the set of FENIX members /1/16 REV 1 CN/ec 14

16 3.2. National priorities with regard to cybercrime National priorities on cybercrime are directly derived from the Cyber Security Strategy - the section 'Main Objectives' (pp ). These priorities are linked to strategic objectives and operational action plans drawn up for cybercrime as among the priorities of the EU. Those identified were as follows: active international cooperation; cooperation with the private sector; research and development / consumer trust; education, awareness-raising and information society development; support for capabilities of the Czech police to investigate and prosecute cybercrime (a separate policy document was produced containing a number of individual points to improve the activities of the police of the Czech Republic in the area of cybercrime) Statistics on cybercrime Main trends leading to cybercrime The largest proportion of innovations in the field of security threats is represented by mobile platforms. Ransomware is increasing on mobile devices, through virtual currencies like Bitcoin. Attacks using advanced techniques have new and more effective ways to identify and bypass sandboxes and other local security measures. Attacks on social platforms are more aggressive and are aimed at consumers' finance and personal information, as well as entrepreneurs' intellectual property and trade secrets /1/16 REV 1 CN/ec 15

17 Mobile malware is becoming the driving force in terms of both technical innovation and numbers of attacks. New PC malware growth is almost non-existent, while new forms in the Android environment have grown by 33%. Virtual currencies encourage the spread of malicious ransomware worldwide. Virtual currencies will provide cybercriminals with the unregulated and anonymous payment infrastructure necessary for obtaining money from their victims. Currencies like Bitcoin allow the spread of a new generation of ransomware, such as Cryptolocker. In the world of cybercrime, advanced attack techniques, such as sandbox-aware attacks, are available. Other technologies include so-called 'return-oriented' attacks, where legitimate applications start to behave in a harmful way, for example, 'self-deleting' malware can cover its trail after reaching its real goal, and advanced attacks also concentrate on specialised industrial control systems focused on public and private infrastructure. Attacks on social networks are ubiquitous and focused on obtaining passwords or user information, location or business activities. This information can be used to target advertisements or to commit virtual or real crimes. New attacks on PCs and servers are focused on weak points above and below the operating system. New attacks on PCs utilise vulnerabilities in Web applications in HTML5. Attacks on mobile platforms that will break the 'sandbox' browsers and give attackers direct access to devices and services are expected. Criminals are increasingly focusing on vulnerabilities of operating systems, as well as BIOS. Deploying enterprise applications based on the 'cloud' creates a space for new attacks. Cybercriminals are exploring ways to use the ubiquitous hypervisors in all data centres, multi-access to users, communication infrastructure of implicit cloud services and infrastructure management, which is used in the provision and monitoring of cloud services on a large scale /1/16 REV 1 CN/ec 16

18 The main trends in the field of cybercrime in the Czech Republic are as follows: Criminal Offences Trends Fraud - failure to deliver ordered goods individual, or via whole fraudulent e- shops - failure to pay for delivered goods (predominantly to customers abroad) - organised fraudulent offers to sell, especially, cars from abroad - 'Nigerian letters' (Scam 419) - fraud through spurious s, for example, of the legitimate EMKEI.CZ service Criminal activities in the field of - dissemination of pornography, child pornography pornography - production and other handling of child pornography - child abuse for the production of pornography - participation in a pornographic performance - establishing of illicit contacts with a child Thefts from accounts - by using malware - by phishing - by abuse of a means of payment Unauthorised gain, falsification and - payment cards, electronic money alteration of a payment instrument Legalisation of proceeds of crime (also - so-called 'work' transfers of stolen as a result of negligence) Hacking Dangerous threats, spreading of alarming messages, dangerous stalking Criminal activities in the area of extremism Criminal activities in the area of copyright protection Forgery and alteration of public documents, official stamps Slander money, disguising its origin - attacks on computer and information systems, accounts etc., and social network accounts intrusion into privacy, obtaining, their damage and/or destroying information + possible related criminal activity - phishing - DDoS and similar attacks - using electronic communications - defamation of nation, race, ethnic or other group of people, incitement to hatred, establishment and promotion of movements aimed at suppressing human rights and freedoms - copying, dissemination, unauthorised use, sharing copyrighted content - computer technology that allows and significantly facilitates forgery and alteration is used - products are distributed via the internet 13203/1/16 REV 1 CN/ec 17

19 Cybercrime in the Czech Republic is currently defined as a crime committed in the environment of information and communication technologies including computer networks; the object of an attack is the very area of information and communication technology. There are also cases of criminal activities with a significant use of information and communication technologies as an important means for their commission. It is thus a broader definition of cybercrime than the definition introduced in this questionnaire. For that reason, the Czech Republic feels the need to mention a new phenomenon in the field of cybercrime, i.e. trafficking in drugs and other illicit commodities, both on the open internet and on the dark net. This criminal activity is not directly addressed in this questionnaire but it is gaining in importance. Not only in the field of the conventional drugs trade, but particularly in the retail of new psychoactive substances, drug precursors, chemicals, medicines and anabolic steroids on the internet, we can clearly observe an increase in both the emergence of specialised e-shops and a variety of advertising offers in recent years. Although at present its share in the total volume of crime and also specifically in drugrelated crime is small, it shows clear growth. Given the difficulty of detection and investigation of this type of crime (personnel, technical equipment, complicated legislation, etc.), it is necessary to pay far more attention to this area of crime from the perspective of the police in the future. Crime statistics for drug offers and trafficking on the internet are not yet separately followed in the system. For the police of the Czech Republic, this area deserves a higher level of support than in the past, since problems are also reflected in procedural issues, particularly in obtaining data from providers of hosting websites operating abroad. As an example, we can mention requirements towards the US, particularly relating to the services of Google Inc., where repeated requests to supplement information on the basis of international legal assistance can take over six months to be processed. A similar situation is also evident in the area of illegal trade in other commodities - weapons, explosives, explosive precursors, etc. As regards statistical indicators, we can present statistics on crimes committed in the environment of information technologies and the internet from the ESSK system (see below). However, offences only partly committed in this environment are not included /1/16 REV 1 CN/ec 18

20 Cybercrime offences in 2014 (as percentages): Fraud 57% Extremist manifestations 1% Vice crime 6% Damage and abuse of media records 12% Infringement to copyright to databases, forgery 6% Unlawful possesion of payment means 2% Dangerous pursuing 1% Dangerous threatening 1% Extortion 1% Forgery and changes to official documents 1% Other criminal activity 13% 13203/1/16 REV 1 CN/ec 19

21 The total (approximate) capacity of messages exchanged through the Department of International Police Cooperation (OMPS) in the period from 2012 to Q3/2015; for specific categories see question 1.6.: Q Number of registered cases of cybercrime Statistical data are provided by the police of the Czech Republic via: Statistical Crime Recording System (hereinafter 'ESSK') this system includes a form with the characteristics of a criminal offence, including indictments and resulting substantive decisions (by police, public prosecutor and court) and a form for statistical reporting of events which are not criminal offences. Evidence of Criminal Procedures (hereinafter 'ETR') a complex information system covering all areas of crime, misdemeanour and other police proceedings including objects, entities, goods and forms; it makes it possible to provide various statistical outputs as well as adding specifics of individual cases 'monitored event information crime'. The majority of criminal complaints originate from individual citizens, not from larger entities such as companies. Statistical data are also collected in the system of Public Prosecutor's Offices and courts. Court statistics are collected separately from the statistics of law-enforcement authorities (however, the substantive decisions are reflected as described above) /1/16 REV 1 CN/ec 20

22 Official national statistics, as mentioned above, are maintained by the law-enforcement sector only (there is no outsourcing, even partial, nor any other similar mechanism). There are also independent studies by private consulting companies that we are aware of; however, these are not taken into account in the official statistics of the law-enforcement authorities and often differ significantly. Crimes in cyberspace, in terms of monitoring requirements under Directive 2013/40/EC and the requirements of the Joint Action 97/827/JHA of 5 December 1997, may be divided as follows: a) crimes against the confidentiality, integrity and use of computer data and a system - sanctioned directly in Sections 230 to 232 of the Criminal Code (see attached statistics); b) crimes of production, distribution and other handling of child pornography in cyberspace; c) other criminal offences committed via the internet (internet fraud), violations of intellectual property rights (piracy). Overview of statistics on the exchange of information via the Department of International Police Cooperation in the period of 2013 September 2015: received from abroad via Interpol and Europol channels, or from national bodies Bureau of Criminal Police and Investigation Service (hereinafter 'ÚSKPV') or other Criminal Police and Investigation Service (hereinafter 'SKPV') bodies sent mainly forwarded to ÚSKPV, or lower units in a follow-up communication received sent received sent received sent received sent child pornography and abuse computer crime CAM notifications fraud and embezzlement /1/16 REV 1 CN/ec 21

23 CAM notifications only report Czech IP addresses and boxes, which have sent, received or stored illicit multimedia files containing child abuse and child pornography. They include the date, precise time, and Czech IP address, the number of illicit files, user registration data (if available) and offer to request evidence. This function, however, is not yet automated. As for other statistics (crimes under points (b) and (c)), their presentation is problematic. Out of the total data, it is not possible to separate / identify offences committed via the internet and other communication technologies (such as crimes in cyberspace), because such distinctions are absent from the statistical sheet. The ESSK police system is currently under development and concrete proposals are being considered to make possible more accurate reporting and monitoring of criminal activities in cyberspace. From 2016 onwards, it will, therefore, be possible to add a relevant distinctive character in the statistical sheet to specify whether a particular offence involved use of the internet (a monitored circumstance of the criminal offence). During the evaluation visit the national authorities informed the evaluation team that cyberincidents had been rising very steeply in recent years. They mentioned reasons such as the great ease of cross-border activity and that sometimes people do not even know that they have become victims of cybercrime. In recent years, thanks to national authorities' efforts, people have become more aware, and reporting is also rising. Victims can easily report illegal activities; since August 2012 hotlines managed by experts have been in place, where many reports of suspicions of cybercrime are received. There is also a pro-active approach on the part of the national authorities to detecting cybercrime incidents, in order to reduce the number of cases. However, there is a rise in fraud, the most usual type being the creation of e-shops which offer goods for low prices and ask people to pay in advance. Another phenomenon is internet banking attacks; the national authorities also mentioned that some phishing pages are very sophisticated and can mislead people /1/16 REV 1 CN/ec 22

24 The other main trends mentioned were: attacks through social networks to collect data, identity theft and cyberbullying, blackmail, extortion and malware. Concerning statistics, it should be mentioned that in the Czech Republic two parallel systems are operated by the police, namely ESSK and ETR. Prosecution offices and courts also collect statistics. However, data regarding child sexual exploitation material and sexual abuse of children are not kept separately, but included in a larger category of offences, called 'vice crimes' along with other offences including trafficking of human beings, prostitution, etc. Statistical data are collected by the Czech police via the ESSK and ETR. As mentioned in the questionnaire, the presentation of statistics on the crimes of production, distribution and other handling of child pornography in cyberspace and other criminal offences committed via the internet and violations of intellectual property rights is problematic. It is not possible to separate or identify offences committed via the internet and other communication technologies because such a distinction is absent from the statistical sheet Domestic budget allocated to prevent and fight against cybercrime and support from EU funding There are no specific budget resources allocated to preventing and combating cybercrime. However, the resources allocated are included in the budgets linked to the fulfilment of the government's priorities and the required resources for the police of the Czech Republic. It is planned that EU funding to combat cybercrime be used. A request for funding from the Internal Security Fund police section (ISF P) for the development of the new cyber unit has recently been submitted (approximately CZK 167 million). Therefore, over the coming years, approximately 195 systemised service positions should be created (within both national and regional units) /1/16 REV 1 CN/ec 23

25 3.5. Conclusions In February 2015 the Czech Republic adopted the second National Cyber Security Strategy, which builds on the main trends of the previous one. At national level there is continuity in preventing and combating cyber security incidents, as well as cybercrime, and this fact highlights current interest in this field. The Strategy is accompanied by the Action Plan, adopted immediately after the Strategy, in May 2015, which establishes many specific targets as well as the institutions responsible. CZ seems to have reached a high level in terms of cyber security prevention and response. Particularly interesting is that CZ was the object of DDoS cyber-attacks in March 2013 which prompted a reaction that led to the creation of a more structured approach in cyberdefence/cyber security. The CZ National Security Authority has just launched the project 'Digital Footprint' as a preventive tool for children. The main scenario concerns an incident or crime committed against a child, e.g. extortion for illicit pictures of a child, spreading personal data etc., and children have to investigate or discover what actually happened. As a more concrete storyline: young girls posted some sensitive pictures on social networks, and the detectives (children) had to search for relevant data and understand the situation so as to avoid becoming victims in reality. The concept is known as 'learning by doing'. The CZ National Security Authority performs prevention and awareness activities for its internal personnel and for public administration personnel, e.g. establishing and implementing security standards, making learning models for public administration (online courses, setting basic administration rules, public communication, basic cyberspace topics, socio-political topics for IT staff at embassies, etc.) /1/16 REV 1 CN/ec 24

26 Statistics are collected by LEAs, prosecution offices and courts. However, a more coordinated approach could be very useful for a clear picture of the dimensions and characteristics of cybercrime, especially for child sexual exploitation cases, which could be reflected in separately in data collected for statistical purposes. The statistics on information exchange relating to relevant cybercrime areas are quite difficult for the evaluation team to understand, especially as regards counting notifications named as 'child pornography and abuse notifications' and 'CAM notifications' as two different entities, while the content of both entities deals with the same matter. As the team understood it, the police statistical system is under development and the specific changes to be introduced should give adequate results even for different cybercrimes. This decision is welcomed and supported by the evaluation team. The national authorities do not allocate a specific budget line for preventing and fighting cybercrime. These activities are carried out using the ordinary budget of the LEAs. During the evaluation visit, the national authorities expressed the intention of making better use of EU funding for combating cybercrime. It is understood that the police are doing their best in prevention and combating cybercrime; on the other hand, the police are not the only stakeholders to be encouraged to receive a specific budget for preventing and combating cybercrime in various areas (cyber-attacks, cyber-fraud with payment cards, child sexual exploitation online) the government should also take further steps in raising awareness in the CZ community, professionals, institutions and NGOs, and should maintain a significant budget for the purpose, including projects run in close cooperation with various population groups and institutions /1/16 REV 1 CN/ec 25

27 4. NATIONAL STRUCTURES 4.1. Judiciary (prosecutions and courts) Internal structure A system of Public Prosecutor's Offices (prosecutors) and the courts (in competence of the Ministry of Justice), which also target cybercrime when taking over the results of the police investigation; effective and timely sanctions also have an impact on the prevention of cybercrime and on increasing legal awareness in this field; jurisprudence is gradually being developed by decisions that can support a proper and accurate interpretation of existing laws or help to generate the necessary impetus for amendments of the law in the future. Their injunction, permitting and supervisory function is also very significant, in cases of serious violations of rights and freedoms of citizens or breaches of confidentiality, and also in gathering evidence linked to cybercrime. Criminal offences in the area of cybercrime are dealt with by the courts of general trial jurisdiction and the Public Prosecutor's Offices; however, they do not have any special powers as regards cybercrime. Related provisions: Exercise of criminal justice by courts: Jurisdiction in criminal matters is exercised by district courts, regional courts, high courts and the Supreme Court /1/16 REV 1 CN/ec 26

28 Exercise of criminal justice by Public Prosecutor's Offices: The Prosecutor's Offices are organised to mirror the organisation of the courts. Under Section 7 of Act No 283/1993 Coll. on the Public Prosecutor's Office: Seats and competence districts (1) The seats of the Public Prosecutor's Offices and their competence districts correspond to those of courts. (2) The Public Prosecutor's Office is responsible for representing the state in the court at which the Prosecutor's Office operates unless a special regulation stipulates otherwise. The Prosecutor's Office appears to have been actively involved in pooling expertise among prosecutors in CZ. It has set up a national network of cybercrime prosecutors (consisting of nearly 20 specialists), which has recently been 'formalised' by decision of all the chief public prosecutors. The team was informed that a national correspondent for cybercrime will also be added to the Eurojust National Coordination System. In addition, the team were provided with a copy of an opinion issued by the Supreme Prosecutor's Office (File No 1/2015) entitled 'Opinion unifying the interpretation of laws and other legal enactments regulating the issue of seizure of mobile phones and other data carriers, including the contents of s'. The team was also given a presentation on best practices in CZ when dealing with international cooperation in criminal matters. Reference was made to issues encountered by CZ as requested/executing country, when the requesting authority needed to send requests to several authorities in the same state. As a solution, national authorities referred to coordination meetings at Eurojust, the use of EJN, and the fact that ultimately CZ changed its system. In general, the outcome is that only one judicial authority (prosecutor's office in pre-trial proceedings, court in trial proceedings) is responsible for the execution of a MLA request, even if evidence has to be gathered in different districts in CZ. A template for a 'Model request for legal assistance consisting in requesting information on telecommunications traffic, including the contents of communication' with the USA was also handed out and presented. The form was drafted by the International Affairs Department of the Prosecutor's Office and competent US authorities /1/16 REV 1 CN/ec 27

29 4.1.2 Capacity for and obstacles to successful prosecution The Czech government has adopted the National Cyber Security Strategy for the period One of its priorities is to strengthen cooperation between the law-enforcement authorities and other entities involved in ensuring cyber-security in the Czech Republic. Existing structures and processes of cooperation in the area of combating cybercrime are being strengthened. The increase in cybercrime, threats and risks associated with the use of social networks on the internet is noted. The strategy expressly provides for and analyses in detail the ability to support the development of the Czech police to investigate and prosecute cybercrime. On the basis of the main goals of this strategy, a detailed Action Plan that defines concrete steps and deadlines for their implementation and monitoring was drawn up. As part of the annual Report on the State of Cyber Security in the Czech Republic, a report on the state of the implementation of the Action Plan is envisaged, in the form of an annex. The report will inform the government and the general public about the effectiveness of measures adopted and the implementation of tasks defined by the Strategy. Currently, a reorganisation of the Department of Information Crime, formerly under the Police Presidium is taking place, with the aim of enhancing the capability to combat and prevent cybercrime. The Department of Information Crime was moved under the Unit for Combating Organised Crime of the Criminal Police and Investigation Service on 1 October Another new department, Department of Cybercrime Investigation and Analysis (V8), within this unit was be established on 1 January 2016, whose aim will be to detect and investigate the most serious crimes in the area of cybercrime. The focus of the Department of Information Crime will then be the development of methodology and support activities to regions; its role as the focal point for international cooperation in this area will continue /1/16 REV 1 CN/ec 28